[kwlug-disc] Vulnerability in bash
B.S.
bs27975 at yahoo.ca
Thu Sep 25 01:05:42 EDT 2014
On Wed, 24 Sep 2014 23:21:57 -0400
"L.D. Paniak" <ldpaniak at fourpisolutions.com> wrote:
> The list should be aware of a newly-announced and particularly nasty
> parsing bug with all versions of bash:
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>
> The combination of "network exploitable" and "authentication not
> required" make this a "10" on the severity scale.
>
> Updated packages for current versions of Ubuntu look to have been
> pushed out earlier today:
> https://launchpad.net/ubuntu/+source/bash

Presumably, at the least, a post-update logout/login will be necessary
on each machine, if not an entire reboot. (Care to trust that ALL
scripts run between turn on and user prompt use sh not bash? And that
sh hasn't been inadvertently equivalenced to bash?)

Given that most of us probably have a command line up (outside of any
GUI too!), and thus in memory, updating will catch any new instances,
but not those you're already in the middle of.

I suppose this means rebooting all servers, too. <sigh?>

I wonder if we should expect to see some further script updates to
follow. i.e. 'Inadvertent' taking advantage of 'hole' for non-nefarious
purposes now needing tweaking due to the update. (e.g. Things becoming
broken, albeit things originally written with the best of intentions.)
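
An added example, not part of the original message: one way to check the two things raised above, namely which running processes still execute a bash binary that has since been replaced on disk, and whether sh resolves to bash. It assumes a Linux /proc, where the exe link of such a process reads "... (deleted)"; the function names and the optional path arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Linux /proc semantics:
# when a package update replaces a binary, /proc/<pid>/exe of processes
# started before the update points at "<path> (deleted)".

# Print the PIDs of processes still running a replaced bash binary.
# $1: proc root (hypothetical parameter, defaults to /proc).
stale_bash_pids() {
    proc_root="${1:-/proc}"
    for exe in "$proc_root"/[0-9]*/exe; do
        # Unreadable links (other users' processes, exited PIDs) are skipped.
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            */bash" (deleted)")
                pid_dir=${exe%/exe}
                echo "${pid_dir##*/}"
                ;;
        esac
    done
}

# Succeed if the given sh path resolves (through symlinks) to a file named bash.
# $1: path to check (hypothetical parameter, defaults to /bin/sh).
sh_is_bash() {
    sh_path="${1:-/bin/sh}"
    resolved=$(readlink -f "$sh_path" 2>/dev/null) || return 1
    case "${resolved##*/}" in
        bash) return 0 ;;
        *)    return 1 ;;
    esac
}

# On a live system, after installing the updated package (run as root to see
# every process):
#   stale_bash_pids
#   if sh_is_bash; then echo "sh is bash"; fi
```

Any PID this prints belongs to a process started before the update; restarting that process or its session is enough to clear it.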